Abstract

Anonymity of identity-based encryption (IBE) means that, given a ciphertext, one cannot distinguish the target identity from a random identity. In this paper, we thoroughly discuss the anonymity of IBE systems. We find that the current definition of anonymity is too vague to describe some IBE systems, such as Gentry IBE system. Furthermore, the current definition cannot express the degree of anonymity. So we divide the degree of anonymity into weak anonymity and strong anonymity based on indistinguishability between different games. For weakly anonymous IBE systems, the target identity in a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext, while type 2 cannot. Based on our new definitions, we show that three famous IBE systems, Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, have strong but different types of anonymity.

1. Introduction

Shamir [1] proposed the concept of identity-based encryption (IBE) in 1984 to simplify the public key infrastructure. In an IBE system, public keys for users can be formed from arbitrary strings such as e-mail addresses, IP addresses, or other meaningful strings. Anyone can encrypt messages using the identity, and only the owner of the corresponding secret key can decrypt the messages. But Shamir did not give a concrete construction of IBE, and none existed until Boneh and Franklin [2] presented the first practical IBE system based on groups with efficiently computable bilinear maps. Another but less efficient IBE system using quadratic residues was proposed by Cocks [3]. After that, many new IBE systems have been proposed [4–11].

Anonymous IBE was first noticed by Boyen [12] and later formalized by Abdalla et al. [13, 14]. Roughly speaking, an IBE system is said to be recipient anonymous or simply anonymous if the ciphertext leaks no information about the recipient’s identity. In other words, an attacker cannot distinguish the target identity of a ciphertext from a random identity. Recently, it has been found that the anonymity of IBE can help to construct public key encryption with keyword search (PEKS) systems [13, 15–17].

The first anonymous IBE system is Boneh-Franklin IBE system [2]. In fact, this system has intrinsic anonymity; that is, its semantic security equals its anonymity. But Boneh-Franklin IBE system was proposed in the random oracle model [18]. Boyen and Waters [8] gave the first construction of anonymous IBE in the standard model under the decisional bilinear Diffie-Hellman (BDH) and decisional linear assumptions. Another efficient construction of anonymous IBE in the standard model was proposed by Gentry [9], but it is proven secure under a dynamic and complicated assumption. After that, many new anonymous IBE systems in the standard model have been proposed [19–21]. An extension of anonymous IBE, named committed blind anonymous IBE, was proposed by Camenisch et al. [22], in which a user can request the decryption key for a given identity without the key generation entity learning the identity.

When studying how to construct anonymous IBE systems, researchers have found that if asymmetric bilinear maps are used in previous IBE systems [4–7], these systems seem anonymous. But how to prove the anonymity of these systems from simple assumptions was unknown until Ducas [23] gave a positive answer. He showed that an IBE system can be proven anonymous with some minor modification. Another anonymous IBE system using an asymmetric bilinear map was proposed by Chen et al. [24]. Recently, Herranz et al. [25] discussed the relations between semantic security and anonymity for IBE systems.

When an “anonymous” IBE system is constructed, we should prove its anonymity. It seems that to prove anonymity for an IBE system, we only need to prove that the target identity cannot be distinguished from the challenge ciphertext in the security game for anonymity. However, current anonymous IBE systems, except Gentry IBE system [9], all use a game stronger than the standard game for anonymity, in which the challenge ciphertext is composed of independently random group elements. Obviously, if a valid ciphertext is indistinguishable from a random tuple, the system is definitely anonymous. However, this game is overqualified for anonymity, because anonymity only requires that an attacker cannot distinguish the target identity of a ciphertext. Hence, the current definition of anonymity is not complete enough to describe the anonymity of current IBE systems.

Our Results. We make a concrete analysis of the anonymity of identity-based encryption systems. We find that the current definition of anonymity is too vague to describe some IBE systems, such as Gentry IBE system [9]. Furthermore, the current definition cannot express the degree of anonymity. By using the indistinguishability of some related security games, we divide anonymity into two degrees: weak anonymity and strong anonymity. Weak anonymity equals the current definition of anonymity, in which the target identity of a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext for some identity, while type 2 cannot. Based on our discussion, we analyse some IBE systems. We show that three famous IBE systems, Gentry IBE System [9], Boyen-Waters IBE system [8], and Lewko IBE System [26], have strong but different types of anonymity.

Organization. The paper is organized as follows. We give necessary background information and definitions of security in Section 2. We then analyse the anonymity and define different degrees and types of anonymity in Section 3. In Section 4, we discuss the anonymity of some current IBE systems. At last we conclude the paper with Section 5.

2. Background

In this section, we briefly review the concepts of the bilinear maps, identity-based encryption, and its security models for semantic security and anonymity.

2.1. Bilinear Maps

Definition 1. Let , be two cyclic multiplicative groups with prime order . Let be a generator of and a bilinear map with the following properties:
(1) bilinearity: for all and for all , one has ;
(2) nondegeneracy: the map does not send all pairs in to the identity in . Observe that since are groups of prime order, this implies that if is a generator of then is a generator of .
We say that is a bilinear group if the group operation in and the bilinear map are both efficiently computable.

Bilinear maps are also called pairings. We assume that there is an efficient algorithm for generating bilinear groups. The algorithm , on input a security parameter , outputs a tuple , where is a generator and .

2.2. Algorithms

An IBE system consists of the following four algorithms: Setup, KeyGen, Encrypt, and Decrypt.

Setup(1λ). This algorithm takes as input the security parameter and outputs a public key and a master secret key . The public key implies also a key space and an identity space .

KeyGen(MK, ℐ). This algorithm takes as input the master secret key and an identity and outputs a secret key associated with .

Encrypt(PK, ℐ, M). This algorithm takes as input the public key , an identity , and a message and outputs a ciphertext .

Decrypt(SKℐ, CT). This algorithm takes as input a secret key and the ciphertext . If the ciphertext is an encryption to , then the algorithm outputs the encrypted message .

2.3. Security Models

The chosen plaintext security (semantic security) and anonymity of an IBE system are defined according to the following IND-ID-CPA (indistinguishability against full identity and chosen plaintext attacks) game and ANON-ID-CPA (anonymity against full identity and chosen plaintext attacks) game, respectively.

IND-ID-CPA Game

Setup. The challenger runs the Setup algorithm and gives to the adversary .

Phase 1. The adversary submits an identity . The challenger creates a secret key for that identity and gives it to the adversary.

Challenge. submits a challenge identity and two equal length messages to with the restriction that each identity given out in the key phase must not be . Then flips a random coin and passes the ciphertext Encrypt to .

Phase 2. Phase 1 is repeated with the restriction that any queried identity is not .

Guess. outputs its guess of .

The advantage of in this game is defined as .

Definition 2. One says that an IBE system is IND-ID-CPA secure if no probabilistic polynomial time adversary has a nonnegligible advantage in winning the IND-ID-CPA game.

ANON-ID-CPA Game

Setup. The challenger runs the Setup algorithm and gives to the adversary .

Phase 1. The adversary submits an identity . The challenger creates a secret key for that identity and gives it to the adversary.

Challenge. submits two challenge identities and a message to with the restriction that each identity given out in the key phase must not be or . Then flips a random coin and passes the ciphertext to .

Phase 2. Phase 1 is repeated with the restriction that any queried identity is not or .

Guess. outputs its guess of .

The advantage of in this game is defined as .

Definition 3. One says that an IBE system is ANON-ID-CPA secure if no probabilistic polynomial time adversary has a nonnegligible advantage in winning the ANON-ID-CPA game.

Some systems such as [8, 27] use weaker notions called IND-sID-CPA (indistinguishability against selective identity and chosen plaintext attacks) security and ANON-sID-CPA (anonymity against selective identity and chosen plaintext attacks) security, in which the adversary commits to the target identity in advance. In the selective identity models, the adversary submits the target identity (or , ) before the public parameters are generated.

3. Analysis of Anonymity

Most IBE systems are constructed on bilinear maps. However, it is hard to construct anonymous IBE systems due to the bilinearity of bilinear maps, that is, for all and for all , we have . For pairing-based IBE systems that are not anonymous, it is easy to test the target identity. Roughly speaking, if an IBE system is not anonymous, supposing that are components of a ciphertext of such a system, we can construct elements from the public parameters and some identity and check whether , where denotes the bilinear map used in the system. If the equation holds, the target identity is . Using this method, we can easily see that some previous IBE systems are not anonymous, such as [4–7, 10, 11].

Gentry proposed the concept of ANON-IND-ID-CPA (anonymity and indistinguishability against full identity and chosen plaintext attacks) security in [9], which is the conjunction of IND-ID-CPA security and ANON-ID-CPA security. It seems that Gentry’s definition is equivalent to IND-ID-CPA security together with ANON-ID-CPA security, but there is a flaw that makes them not equivalent. To make up for this flaw in Gentry’s definition, we first review Gentry’s definition and then rewrite these definitions using the indistinguishability between some similar security games.

ANON-IND-ID-CPA Game

Setup. The challenger runs the Setup algorithm and gives to the adversary .

Phase 1. The adversary submits an identity . The challenger creates a secret key for that identity and gives it to the adversary.

Challenge. submits two challenge identities and two equal length messages to with the restriction that each identity given out in the key phase must not be or . Then picks two random bits and passes the ciphertext to .

Phase 2. Phase 1 is repeated with the restriction that any queried identity is not or .

Guess. outputs its guess of and of .

The advantage of in this game is defined as .

Definition 4. One says that an IBE system is ANON-IND-ID-CPA secure if no probabilistic polynomial time adversary has a nonnegligible advantage in winning the ANON-IND-ID-CPA game.

Though the ANON-IND-ID-CPA game is the conjunction of the IND-ID-CPA game and the ANON-ID-CPA game, they are not always equivalent. If the assumption used in the IND-ID-CPA game is different from the assumption used in the ANON-ID-CPA game, these two games cannot be combined into the ANON-IND-ID-CPA game. In Gentry’s definition, they are equivalent because only one assumption, called the Decision -ABDHE assumption, is used in all of these games.

To cover the difference caused by different assumptions and by full or selective security, we focus on the core of these games. In the IND-ID-CPA game, the adversary needs to distinguish an encryption of the chosen message from an encryption of a random message, both for the challenge identity, while in the ANON-ID-CPA game, the adversary needs to distinguish an encryption for the challenge identity from an encryption for a random identity, both of the chosen message. And in the combined ANON-IND-ID-CPA game, the adversary needs to distinguish an encryption of the chosen message for the challenge identity from an encryption of a random message for a random identity. Hence, we can redefine these concepts using the indistinguishability between different challenge ciphertexts.

Let be a message and a challenge identity, both chosen by the adversary. Let be a random message and a random identity. We define the following games, which differ in what challenge ciphertext is given by the simulator to the adversary.
(i) : this is the basic game. The challenger runs the Setup algorithm and gives the public key to the adversary. The adversary can make a secret key query for , where is not equal to the target identity . The challenge ciphertext is .
(ii) : this is like except that the challenge ciphertext is .
(iii) : this is like except that the challenge ciphertext is .
(iv) : this is like except that the challenge ciphertext is .

Using the indistinguishability between these games, we rewrite the definitions of ANON-IND-ID-CPA, IND-ID-CPA, and ANON-ID-CPA security as follows.

Definition 5. One says that an IBE system is ANON-IND-ID-CPA secure if no probabilistic polynomial time adversary has a nonnegligible advantage in distinguishing between and .

Definition 6. One says that an IBE system is -- secure, if no probabilistic polynomial time adversary has a nonnegligible advantage in distinguishing between and .

Definition 7. One says that an IBE system is -- secure, if no probabilistic polynomial time adversary has a nonnegligible advantage in distinguishing between and .

Definitions for selective identity are similar except that in all the games the adversary should submit the target identity before public parameters are generated. Note that , , and are three different games. We have the following result for the relation between ANON-IND-ID-CPA security, IND-ID-CPA security, and ANON-ID-CPA security.

Lemma 8. If an IBE system is IND-ID-CPA secure and ANON-ID-CPA secure, then is ANON-IND-ID-CPA secure.

Proof. We have
where are both negligible. Equation (1) holds because is IND-ID-CPA secure, and (2) holds because is ANON-ID-CPA secure. So
which means that is ANON-IND-ID-CPA secure.

However, it is still unknown whether ANON-IND-ID-CPA security is equivalent to the conjunction of IND-ID-CPA security and ANON-ID-CPA security. The following lemma gives an efficient method to prove anonymity, which has been used for some previous systems, such as Caro-Iovino-Persiano HIBE system [28] and Seo-Cheon HIBE system [29].

Lemma 9. If an IBE system is IND-ID-CPA secure, and there is no polynomial time adversary who can distinguish between and with nonnegligible advantage, then is ANON-ID-CPA secure.

Proof. We have
where are all negligible. Equations (4) and (5) hold because is IND-ID-CPA secure, and (6) holds by the hypothesis. So
which means that is ANON-ID-CPA secure.
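The two hybrid arguments behind Lemmas 8 and 9, written out as an added illustration; this is the editor's worked derivation, not the paper's own displayed equations, whose symbols did not survive extraction. The notation is an assumption of this note: $G(M,\mathrm{ID})$ is the game whose challenge ciphertext encrypts message $M$ under identity $\mathrm{ID}$, $M^{*}$ and $\mathrm{ID}^{*}$ are a random message and a random identity, $\mathrm{Adv}_{\mathcal{A}}(G,G')$ is the advantage of $\mathcal{A}$ in telling games $G$ and $G'$ apart, and the hypothesis of Lemma 9 is read as indistinguishability of $G(M^{*},\mathrm{ID})$ and $G(M^{*},\mathrm{ID}^{*})$, the only placement consistent with the proof invoking IND-ID-CPA security twice.

```latex
% Added illustration; G(M, ID), M^*, ID^*, Adv and the epsilons are assumed names.
% Lemma 8: IND-ID-CPA and ANON-ID-CPA together give ANON-IND-ID-CPA.
% Insert the intermediate game G(M^*, ID) and apply the triangle inequality.
\mathrm{Adv}_{\mathcal{A}}\bigl(G(M,\mathrm{ID}),\,G(M^{*},\mathrm{ID}^{*})\bigr)
  \;\le\;
  \underbrace{\mathrm{Adv}_{\mathcal{A}}\bigl(G(M,\mathrm{ID}),\,G(M^{*},\mathrm{ID})\bigr)}_{\text{IND-ID-CPA: same identity, chosen vs. random message}}
  \;+\;
  \underbrace{\mathrm{Adv}_{\mathcal{A}}\bigl(G(M^{*},\mathrm{ID}),\,G(M^{*},\mathrm{ID}^{*})\bigr)}_{\text{ANON-ID-CPA: same (random) message, chosen vs. random identity}}
  \;=\;\epsilon_{\mathrm{IND}}+\epsilon_{\mathrm{ANON}},

% both terms negligible, so the left-hand side is negligible.

% Lemma 9: IND-ID-CPA plus the hypothesis G(M^*, ID) ~ G(M^*, ID^*) give ANON-ID-CPA.
% Two intermediate games are inserted; the message is randomised first, then the
% identity, then the message is restored.
\mathrm{Adv}_{\mathcal{A}}\bigl(G(M,\mathrm{ID}),\,G(M,\mathrm{ID}^{*})\bigr)
  \;\le\;
  \underbrace{\mathrm{Adv}_{\mathcal{A}}\bigl(G(M,\mathrm{ID}),\,G(M^{*},\mathrm{ID})\bigr)}_{\text{IND-ID-CPA}}
  \;+\;
  \underbrace{\mathrm{Adv}_{\mathcal{A}}\bigl(G(M^{*},\mathrm{ID}),\,G(M^{*},\mathrm{ID}^{*})\bigr)}_{\text{hypothesis of Lemma 9}}
  \;+\;
  \underbrace{\mathrm{Adv}_{\mathcal{A}}\bigl(G(M^{*},\mathrm{ID}^{*}),\,G(M,\mathrm{ID}^{*})\bigr)}_{\text{IND-ID-CPA}}
  \;=\;\epsilon_{\mathrm{IND}}+\epsilon_{\mathrm{hyp}}+\epsilon'_{\mathrm{IND}}.

% In the last term the IND-ID-CPA reduction chooses ID^* as its own challenge
% identity; the adversary's key queries avoid ID^* except with negligible
% probability, since ID^* is uniform over the identity space.
```

The point the derivation makes visible is that every step changes exactly one of the two coordinates (message or identity) of the challenge, so each step is charged to exactly one notion; this is why the combined ANON-IND-ID-CPA game cannot simply be assumed equivalent to the pair of notions when the two reductions rest on different assumptions, as noted after Definition 4.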

In some anonymous IBE systems, such as Boyen-Waters anonymous IBE system, a new game called is used. We define it as follows.
(i) : this is like except that the challenge ciphertext consists of independent random group elements.

Note that is different from . Though they are similar concepts, they are not always equivalent. is a special game in which the challenge ciphertext is composed of independent random group elements, while the challenge ciphertext of is still a valid ciphertext. Since every element is random, the ciphertext leaks no information about the identity. So if the transition from to is computationally indistinguishable, the IBE system is certainly anonymous. This proof method was used in Boyen-Waters anonymous IBE system and in later anonymous IBE systems. Obviously, the transition from to is different from the transition from to . The difference leads to the following classification of anonymous IBE systems.

Definition 10 (weak anonymity). One says that an IBE system has weak anonymity, if no probabilistic polynomial time adversary has a nonnegligible advantage in distinguishing between and or distinguishing between and .

Definition 11 (strong anonymity). One says that an IBE system has strong anonymity, if no probabilistic polynomial time adversary has a nonnegligible advantage in distinguishing between and .

Obviously, weak anonymity is the standard definition shown in previous articles, where the target identity is indistinguishable from a random identity. It is easy to see that weak anonymity is required for all anonymous IBE systems and that strong anonymity implies weak anonymity. So weak anonymity is also called standard anonymity, while strong anonymity is called superstandard anonymity. In the next section, we will analyse some IBE systems based on our definitions of anonymity. We will see that these IBE systems all have strong anonymity. To further clarify the anonymity of IBE systems, we use the difference between and to define two types of anonymity, named type 1 anonymity and type 2 anonymity. First we define the equivalence of two games. Let , be two games. If any ciphertext output by can be seen as a properly distributed ciphertext output by and vice versa, we say that equals or . Obviously, means that is indistinguishable from . However, if two games are indistinguishable, they are not always equivalent. For example, for any IND-ID-CPA secure IBE system, , but they are indistinguishable according to the definition of IND-ID-CPA security.

Definition 12. For an anonymous IBE system , if , one says that has type 1 anonymity, or else has type 2 anonymity.

If an IBE system has only weak anonymity, it is obvious that ; that is, has type 2 anonymity. So there is no type 1 anonymous IBE system with only weak anonymity. For a strongly anonymous IBE system, type 1 anonymity always means that it only needs to prove ’s anonymity in the ANON-IND-ID-CPA game or in the ANON-ID-CPA game, while type 2 anonymity always means that needs additional steps to prove strong anonymity, for example, proving the indistinguishability of transition from to .

Note that there are IBE systems with the property , such as Boneh-Boyen IBE system. In Boneh-Boyen IBE system, a ciphertext is like , , . It is easy to see that a random tuple is still a valid ciphertext for some identity and message. But as we know, Boneh-Boyen IBE system is not anonymous, because there is a gap between and .

4. Anonymity of Some IBE Systems

In this section, we analyse some IBE systems based on our definitions of anonymity. We discuss three famous anonymous IBE systems: Gentry IBE System [9], Boyen-Waters IBE system [8], and Lewko IBE System [26]. We show that these three IBE systems are all strongly anonymous but have different types.

We show that Gentry’s anonymous IBE system has type 1 strong anonymity. We first briefly describe Gentry IBE system as follows.

Setup(1λ). Given the security parameter , the setup algorithm first gets . Next it chooses another random generator and random integer . Then the setup algorithm sets . The public key is published as
and the master key is

KeyGen(MK, ℐ). To generate the secret key for an identity , the key extract algorithm chooses random and outputs as

The constraints are that and the PKG always uses the same random value for .

Encrypt(PK, ℐ, M). To encrypt a message for an identity , the algorithm chooses random integers and outputs the ciphertext as

Decrypt(SKℐ, CT). To decrypt a ciphertext for an identity , using the corresponding secret key outputs

Proof. Let be the set of all possible ciphertexts output by and the set of all possible ciphertexts output by . We will show that . Obviously, we have . Note that this claim is true for all IBE systems. Next, for a random tuple , where and , we show that it is a valid ciphertext of Gentry-AIBE system. At first we can set for some , and then we can set for some identity and for some message . So we have . As a result, . This means that the challenge ciphertext output by can be seen as a challenge ciphertext output by and vice versa. Then for Gentry-AIBE system, .

For an anonymous IBE system, equation means that it is intrinsically strongly anonymous, just as we showed for Gentry IBE system in the previous section. The equation also holds for some previous systems, for example, Boneh-Franklin IBE system. But for some strongly anonymous IBE systems, it does not hold; that is, . In fact, these two games are computationally indistinguishable under some assumption, for example, the decisional linear assumption.

As an example, we will show that Boyen-Waters anonymous IBE system is a type 2 anonymous IBE system; that is, it does not satisfy the equation. We first briefly describe Boyen-Waters IBE system as follows.

Setup(1λ). Given the security parameter , the setup algorithm first gets , . Next it chooses another two random group elements and five random integers . Then the setup algorithm sets . The public key is published as
and the master key is

KeyGen(MK, ℐ). To generate the secret key for an identity , the key extract algorithm chooses random and outputs as

Encrypt(PK, ℐ, M). To encrypt a message for an identity , the algorithm chooses random integers and outputs the ciphertext as

Decrypt(SKℐ, CT). To decrypt a ciphertext for an identity , using the corresponding secret key outputs

Using the conjunction of Lemmas , and 3 in [8], we have the following result for Boyen-Waters IBE system.

Lemma 16. For Boyen-Waters IBE system, and are computationally indistinguishable under the decisional BDH and decisional linear assumptions.

Now we show that Boyen-Waters IBE system has type 2 anonymity.

Lemma 17. For Boyen-Waters IBE system, .

Proof. Given a random tuple , where and , we show that it is a valid ciphertext of BW-AIBE system with probability at most . At first we set and for some and , respectively, and then we can set for some , but a valid ciphertext requires that . Since is a random element of , it equals with probability only . When , the random tuple cannot be a valid ciphertext, which means that .

Boyen-Waters IBE system only has selective security. We now show that a fully secure IBE system, Lewko IBE system, has type 2 full anonymity. Lewko IBE system is constructed from dual orthonormal bases and can be seen as a translation of Lewko-Waters IBE system [11] into prime order groups. In Lewko’s original description, she only gave a proof of chosen plaintext security.

Lewko IBE system is constructed on dual orthonormal bases of dual pairing vector spaces. We first review vectors of group elements. Given a group element and a vector , we write to denote a -tuple of elements of . For any and , we have and . We also use to denote the pairing of vectors:

For a fixed (constant) dimension , we choose two random bases and of , subject to the constraint that

are called dual orthonormal bases and denotes the set of dual orthonormal bases. We then describe Lewko IBE system as follows.

Setup(1λ). Given the security parameter , the setup algorithm first gets , . Next it chooses random dual orthonormal bases from . Let and . It also chooses random values . The public key is published as

Encrypt(PK, ℐ, M). To encrypt a message for an identity , the algorithm chooses random integers and outputs the ciphertext as

Decrypt(SKℐ, CT). The decryption algorithm computes the message as

The security proof of Lewko IBE system uses the dual system encryption technique [10]. Its semifunctional keys are like and its semifunctional ciphertext is , where . Let be the game where all returned keys are semifunctional and the challenge ciphertext is , where and . In [26], Lewko showed that is indistinguishable from under the subspace assumption. We continue her work and show that her IBE system has type 2 strong anonymity.

Definition 19. Given a group generation , one defines the following distribution:
We define the advantage of an algorithm in breaking the subspace assumption to be
We say that the subspace assumption holds if no probabilistic polynomial time algorithm has a nonnegligible advantage in breaking the subspace assumption.

Lemma 20. Let be the game, where all returned keys are semifunctional and the challenge ciphertext is , where and . If there exists a polynomial time algorithm , where , then we can construct a polynomial time algorithm with advantage to break the subspace assumption with and .

Proof. is given along with . should decide whether is distributed as or as . At first implicitly sets . Then can produce for the public parameters. Next sets . Note that only does not know . chooses random values for itself. It can compute as . It gives the public key
To respond to a key query for , chooses random values . It will set . It forms the secret key as
At the challenge phase, receives two messages and a challenge identity . chooses a random bit , a random element , and random values and sets
If , then the exponent vector of is a random linear combination of and , so it is in . If the exponent of additionally has , it is in . Therefore, can use the output of to break the subspace assumption.

Theorem 21. Lewko IBE system has type 2 strong anonymity.

Proof. From Lemma 20 we know that the ciphertext of Lewko IBE system leaks no information about the target identity, so it is anonymous. Furthermore, note that is a basis of , so can be seen as a random element of . In other words, . So Lewko IBE system has strong anonymity. Obviously, the set of all possible is contained in . Note that any nonzero vector in is not included in , so for Lewko IBE system, which means that Lewko IBE system has type 2 anonymity.
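The vector notation reviewed before Lewko IBE system (a group element raised to a vector, and the pairing of vectors reducing to a dot product of exponent vectors), and the span-membership reasoning used in the proofs of Lemma 20 and Theorem 21, can be exercised concretely by working in the exponent space. The following is an added example by the editor, not code from Lewko's paper or from any implementation of it: it generates a pair of dual orthonormal bases over Z_p for a chosen dimension, verifies the orthonormality relations, and uses the dual basis to test whether an exponent vector lies in the span of a chosen subset of basis vectors (the check underlying "the exponent vector is a random linear combination of b1 and b2, so it is in Span(b1, b2)" versus "the exponent additionally has a b3 component"). The modulus, the dimension 3, the scaling factor psi and the seeded sample vectors are constructed for the demo; the convention that dual bases satisfy b_i . b*_j = psi for i = j and 0 otherwise follows the standard dual pairing vector space definition and is assumed here.

```python
"""Dual orthonormal bases over Z_p and span tests in exponent space.

Added illustration (not from Lewko's paper). Group elements g^v are modelled
by their exponent vectors v over Z_p: since e(g^v, h^w) = e(g, h)^(v . w),
every pairing computation on vectors reduces to a dot product of exponents.
"""
import random

P = 2**61 - 1  # prime modulus for the demo (constructed; not a production group)


def rand_vec(n, p=P):
    """Uniformly random vector in Z_p^n."""
    return [random.randrange(p) for _ in range(n)]


def dot(u, v, p=P):
    """Dot product over Z_p; this is the exponent of e(g^u, h^v)."""
    return sum(a * b for a, b in zip(u, v)) % p


def mat_inverse(m, p=P):
    """Gauss-Jordan inversion of an n x n matrix over Z_p; None if singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)  # modular inverse (Python 3.8+)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def transpose(m):
    return [list(c) for c in zip(*m)]


def gen_dual_bases(n, p=P):
    """Return (B, B_star, psi) with rows b_i of B and b*_j of B_star such that
    b_i . b*_j == psi if i == j and 0 otherwise (assumed standard convention).
    B_star is psi * (B^-1)^T: the columns of B^-1 are dual to the rows of B."""
    while True:
        B = [rand_vec(n, p) for _ in range(n)]
        inv = mat_inverse(B, p)
        if inv is not None:  # a random matrix is singular only with prob ~ 1/p
            break
    psi = random.randrange(1, p)  # nonzero scaling factor
    B_star = [[psi * x % p for x in row] for row in transpose(inv)]
    return B, B_star, psi


def is_dual_orthonormal(B, B_star, psi, p=P):
    """Check every pairing of basis vectors against the dual basis."""
    n = len(B)
    return all(dot(B[i], B_star[j], p) == (psi if i == j else 0)
               for i in range(n) for j in range(n))


def in_span(v, indices, B_star, p=P):
    """v lies in Span(b_i : i in indices) iff it pairs to zero with every
    dual vector b*_j outside the index set (psi is nonzero, so a nonzero
    coefficient on b_j would show up as a nonzero v . b*_j)."""
    return all(dot(v, B_star[j], p) == 0
               for j in range(len(B_star)) if j not in indices)


def demo(n=3, seed=0):
    """Constructed scenario: a 'normal' exponent vector spanned by b1, b2 and a
    vector that additionally carries a b3 component, as in the semifunctional
    ciphertexts of the dual system proof. Returns (normal_in_span, shifted_in_span)."""
    random.seed(seed)
    B, B_star, psi = gen_dual_bases(n)
    assert is_dual_orthonormal(B, B_star, psi)
    s1, s2 = random.randrange(P), random.randrange(P)
    normal = [(s1 * x + s2 * y) % P for x, y in zip(B[0], B[1])]
    t = random.randrange(1, P)  # nonzero b3 coefficient
    shifted = [(x + t * z) % P for x, z in zip(normal, B[2])]
    return in_span(normal, {0, 1}, B_star), in_span(shifted, {0, 1}, B_star)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The test `in_span` is exactly the capability the subspace assumption denies to an efficient adversary who only holds group elements: with the exponent vectors in hand it is a dot product, but given only g^v and the public basis elements, deciding whether v has a component along b3 requires the dual vector b*_3 in the exponent, which is not published.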

4.4. Comparison

Like the previous analyses of Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, we can analyse other anonymous IBE systems. A brief comparison of some anonymous IBE systems is given in Table 1. We find that all listed IBE systems have strong anonymity, that is, superstandard anonymity. Though weak anonymity, that is, standard anonymity, is the current definition of anonymity, to the best of our knowledge there is no IBE system having only weak anonymity. Hence we leave as an open problem the construction of an IBE system with only weak anonymity.

Table 1: Comparison.

5. Conclusion

In this paper, we discuss the anonymity of identity-based encryption systems. Anonymity can be divided into two degrees: weak anonymity and strong anonymity. If an IBE system has weak anonymity, the target identity of its ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types: type 1 means that a random tuple can be seen as a valid ciphertext for some identity, while type 2 cannot. We show that some current anonymous IBE systems, such as Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, have strong but different types of anonymity. We hope that our analysis of anonymity will help to construct more anonymous IBE and related systems.

Acknowledgments

This work was supported by Chongqing Natural Science Foundation (no. cstc2013jcyjA40019) and the authors would like to thank the anonymous referees for helpful suggestions.

A. Lewko, “Tools for simulating features of composite order bilinear groups in the prime order setting,” in Advances in Cryptology, vol. 7237 of Lecture Notes in Computer Science, pp. 318–335, 2012.